External table access

As an administrator, you must set up one of several authorization options to allow users
to access external tables.

External tables reside by default in /warehouse/tablespace/external on
HDFS. To place an external table somewhere else, include a LOCATION clause in the
CREATE EXTERNAL TABLE statement.

Hive gives the hive user the external warehouse directory with permissions 777, sets a umask
that restricts the subdirectories created under it, and provides a Default ACL that gives
the hive user read and write access to all subdirectories. External tables in HDP 3.0
support the following permission and authorization models:

SBA (storage-based authorization)

SBA and Ranger

Ranger

You can use the mixed mode, SBA and Ranger, for low-level analytical processing of external
tables.

Using the SBA permissions model

You must add Access ACLs to allow groups or users to create databases and tables in the space
governed by SBA. A user is authorized to query a table only if that user has file-level access
to the underlying data in HDFS. You configure impersonation in HiveServer
(hive.server2.enable.doAs=true) so that operations run as the end user rather than as the hive
user. You cannot use LLAP with this model.

Using the SBA and Ranger example

Assume that you are an administrator who creates a sales database and gives the sales group
read and write permissions on the sales directory, including Default ACLs so that the sales
group can read from and write to every subdirectory the database creates. Users in the sales
group run with doAs=true and are authorized under SBA to create external tables. Given the
ACLs, both the hive user and sales users can access all files and partitions.
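The layout described above, as an added example that is not part of the HDP documentation. It lays out an SBA-governed directory for the sales group with an Access ACL and the Default ACLs that make Hive and the group's subdirectories inherit the same rights, checks the result against `hdfs dfs -getfacl` output, and generates the CREATE EXTERNAL TABLE statement with the explicit LOCATION clause mentioned earlier. The directory /warehouse/tablespace/external/sales, the sales group, the hive user, the orders table and its columns are assumptions for illustration; the `hdfs` commands are only printed unless the script is run with the argument `apply`, and the getfacl samples are constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example, not from the HDP docs: SBA directory layout for a "sales"
# group, ACL verification, and an external-table DDL with explicit LOCATION.
# Path, group, user and table names are assumptions for illustration.

SALES_DIR="/warehouse/tablespace/external/sales"   # assumed location
HIVE_USER="hive"

# Print a cluster command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Access ACL for the group on the directory itself, plus Default ACLs so that
# every subdirectory and file created under it inherits group read/write and
# keeps the hive user's read/write access (the umask alone would not do that).
build_acl_spec() {
  g="$1"
  printf 'group:%s:rwx,default:group:%s:rwx,default:user:%s:rwx' "$g" "$g" "$HIVE_USER"
}

# Create the directory owned by hive:<group> and attach the ACL spec.
apply_sales_layout() {
  dir="$1"; g="$2"
  run hdfs dfs -mkdir -p "$dir"
  run hdfs dfs -chown "$HIVE_USER:$g" "$dir"
  run hdfs dfs -setfacl -m "$(build_acl_spec "$g")" "$dir"
}

# Return 0 if getfacl text on stdin contains the exact ACL entry line.
acl_has_entry() {
  grep -qxF "$1"
}

# Verify that the Access entry and both Default entries are present.
# Usage on a cluster: hdfs dfs -getfacl "$SALES_DIR" | verify_facl sales
verify_facl() {
  g="$1"; text="$(cat)"
  for entry in "group:$g:rwx" "default:group:$g:rwx" "default:user:$HIVE_USER:rwx"; do
    printf '%s\n' "$text" | acl_has_entry "$entry" \
      || { printf 'missing ACL entry: %s\n' "$entry" >&2; return 1; }
  done
  return 0
}

# Table-creation statement with an explicit LOCATION under the sales directory.
# On a cluster: beeline -u "$JDBC_URL" -e "$(external_table_ddl sales orders "$SALES_DIR")"
external_table_ddl() {
  db="$1"; tbl="$2"; dir="$3"
  printf "CREATE EXTERNAL TABLE %s.%s (id INT, amount DECIMAL(10,2)) STORED AS ORC LOCATION '%s/%s';" \
    "$db" "$tbl" "$dir" "$tbl"
}

# Constructed sample of `hdfs dfs -getfacl` output after apply_sales_layout.
SAMPLE_FACL='# file: /warehouse/tablespace/external/sales
# owner: hive
# group: sales
user::rwx
group::rwx
group:sales:rwx
mask::rwx
other::---
default:user::rwx
default:user:hive:rwx
default:group::rwx
default:group:sales:rwx
default:mask::rwx
default:other::---'

# Same constructed sample with the Default ACLs missing: new subdirectories
# would fall back to the umask and the sales group would lose write access.
SAMPLE_FACL_NO_DEFAULT='# file: /warehouse/tablespace/external/sales
# owner: hive
# group: sales
user::rwx
group::rwx
group:sales:rwx
mask::rwx
other::---'

case "${1:-}" in
  apply) DRY_RUN=0; apply_sales_layout "$SALES_DIR" sales ;;
  *)     apply_sales_layout "$SALES_DIR" sales ;;   # dry run: print the commands
esac
```

The verification step matters because `-setfacl -m` with only an Access entry looks correct on the directory itself but leaves every table and partition directory Hive creates later governed by the umask; `verify_facl` rejects that state, as the second sample shows.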

To restrict certain users from accessing all files and partitions, you can use
Ranger. Hive then enforces the Ranger policies, but Ranger can only narrow access, never
widen it beyond what HDFS permits: if you give a sales user fewer rights through SBA, for
example by setting that user's HDFS access to the table directories to read-only, a Ranger
policy cannot restore the access that HDFS denies.

Using the Ranger authorization model

If you now disable SBA and use only Ranger to give a specific user who is not in the sales
group permission to create external tables in the sales-report database, that user can log
in, use LLAP, and create a database. Because the Default ACLs are still in place, sales group
users can also access the table.